Burgers & Collecting pii

10496861099?profile=RESIZE_400xWellington Whimpy used to say, “I'll gladly pay you Tuesday for a hamburger today.” The manager of a State of Illinois White Castle restaurant is seeking enforcement of the state's biometric data privacy law on behalf of all the chain's employees for what she claims is a decade of violations. The proposed class-action lawsuit against the fast-food chain, known for its hamburgers, alleges that fingerprint scans used to access restaurant computer systems violate the State of Illinois Biometric Information Privacy Act (BIPA).  Today is Tuesday and the Illinois Supreme Court is set to hear the case of Cothron v. White Castle.[1]

The term "biometric data" covers a variety of cyber-related identifiers, including fingerprints, retinal scans, voice patterns, signatures, and facial recognition.  The plaintiff and restaurant manager, Ms. Cothron, claims that White Castle implemented a fingerprint scanning system to access pay stubs and work computers around 2004.   The company allegedly did not obtain employees' consent to collect and store their biometric data until 2018.  BIPA took effect in 2008, leaving a ten-year gap where it seems White Castle may have improperly collected employee data.[2]  But legally does a BIPA claim accrue each time a person's biometric identifier is scanned and transmitted or only the first time?  On appeal in December 2021, the Seventh Circuit Court of Appeals certified this question to the Illinois Supreme Court for review.

White Castle Could Be held liable for millions.  Under BIPA, a private company cannot "collect, capture, purchase, receive through trade, or otherwise obtain" a person's biometric data without providing notice to that person and obtaining their consent.  White Castle argues that the state statute of limitations precludes Cothron's case, based on the theory that her claim only accrued the first time she scanned her fingerprint into the system after BIPA was passed in 2008, more than a decade before she filed suit.  But Cothron argues that every unauthorized fingerprint scan is a separate violation of the statute. Since Cathron, among other White Castle employees, continued to be required to scan their fingerprints regularly in the subsequent decade, this theory would allow her to bring a claim based on later instances that fell within the statute of limitations.

BIPA provides for statutory damages of up to $1,000 per negligent violation and up to $5,000 for reckless or intentional violations, so acceptance of Cothron's argument could have dire consequences for White Castle.  But this would not be the first big-time payout for a biometric privacy case. In 2021, TikTok's parent company, ByteDance, agreed to hand over $92 million to settle a class-action BIPA lawsuit.

A Legal Question is Presented.  The district court rejected White Castle's theory of the case, but thought the question merited analysis by the Seventh Circuit.  In its opinion, the Circuit court discusses Illinois claim accrual and the elements of a BIPA claim in an effort to decide what rules should apply.  The Illinois Supreme Court has held that the statute of limitations clock begins to tick, "when facts exist that authorize one party to maintain an action against another."  Meanwhile, Section 20 of BIPA lays out the statute's private cause of action, giving anyone "aggrieved by a violation" the right to "recover for each violation."

In defending its stance, White Castle compared the unlawful disclosure of employee biometric data to "publication" under defamation and other privacy torts.  Therefore, White Castle argued that Illinois' single-publication rule, which states that "[n]o person shall have more than one cause of action...founded on any single publication or exhibition or utterance," making Cothron's claim untimely.  But the Seventh Circuit held that "there are reasons to doubt" that the single-publication rule should be applied to Cothron's case.  By its terms, the Uniform Single Publication Act (adopted by Illinois) covers defamation and other traditional privacy torts in published media such as newspapers, television, and radio. But, the ordinary meaning of the word "disclosure" could lead a fact-finder to conclude that only the first transmission of a biometric identifier is actionable.

Since the Illinois Supreme Court begins today to decide whether BIPA claims accrue repeatedly, the Seventh Circuit granted Cothron's request to certify the question to the State Supreme Court.   In January 2022, the Illinois Supreme Court granted White Castle more time to file briefs, extending the deadline to today. 

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization that wishes to share cyber security views from across the Globe.  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com    

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

 

[1] https://www.law360.com/articles/1489357/white-castle-aims-to-whittle-down-bipa-s-scope

[2] https://www.findlaw.com/legalblogs/federal-courts/white-castle-employee-claims-burger-vendor-violated-biometric-privacy-law-for-a-decade/

You need to be a member of Red Sky Alliance to add comments!